public void AuthExpiredRequestIdAreClearedFromCache()
{
Dictionary <string, string> GenerateAuthParameters()
{
return(new Dictionary <string, string>
{
{ "awsAccessKeyId", "accessKey" },
{ "awsSecretKey", "secretKey" },
{ "requestId", Guid.NewGuid().ToString() },
{ "issueDate", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffzzz", DateTimeFormatInfo.InvariantInfo) }
});
}
var request1 = GenerateAuthParameters();
AwsCredentialsAuthenticationHandler.ValidateAuthParameters(request1);
Assert.Contains(request1["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds);
var request2 = GenerateAuthParameters();
AwsCredentialsAuthenticationHandler.ValidateAuthParameters(request2);
Assert.Contains(request1["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds);
Assert.Contains(request2["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds);
Thread.Sleep(AwsCredentialsAuthenticationHandler.MaxIssueDateDuration.Add(TimeSpan.FromSeconds(3)));
var request3 = GenerateAuthParameters();
AwsCredentialsAuthenticationHandler.ValidateAuthParameters(request3);
Assert.DoesNotContain(request1["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds);
Assert.DoesNotContain(request2["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds);
Assert.Contains(request3["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds);
}
public void ProcessAuthorizationHeaderFailWrongSchema()
{
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader("wrong-schema value", new NoEncryptionProvider());
Assert.False(authResults.Succeeded);
Assert.Contains("Unsupported authorization schema", authResults.Failure.Message);
}
public void ProcessAuthorizationHeaderFailNoSchema()
{
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader("no-schema-value", new NoEncryptionProvider());
Assert.False(authResults.Succeeded);
Assert.Contains("Incorrect format Authorization header", authResults.Failure.Message);
}
public void AuthInvalidFormatForIssueDate()
{
var authValue = MockAuthorizationHeaderValue("access", "secret", null, "not a date");
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(authValue, new NoEncryptionProvider());
Assert.False(authResults.Succeeded);
Assert.Equal("Failed to parse issue date", authResults.Failure.Message);
}
public void AuthFutureIssueDate()
{
var authValue = MockAuthorizationHeaderValue("access", "secret", null, DateTime.UtcNow.AddMinutes(5));
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(authValue, new NoEncryptionProvider());
Assert.False(authResults.Succeeded);
Assert.Equal("Issue date invalid set in the future", authResults.Failure.Message);
}
public void AuthMissingIssueDate()
{
var authValue = MockAuthorizationHeaderValue("access", "secret", null, null);
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(authValue, new NoEncryptionProvider());
Assert.False(authResults.Succeeded);
Assert.Equal($"Authorization header missing {AwsCredentialsAuthenticationHandler.ClaimAwsIssueDate} property", authResults.Failure.Message);
}
public void ProcessAuthorizationHeaderFailInValidJson()
{
var base64BadJson = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes("you are not json"));
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader($"aws-deploy-tool-server-mode {base64BadJson}", new NoEncryptionProvider());
Assert.False(authResults.Succeeded);
Assert.Equal("Error decoding authorization value", authResults.Failure.Message);
}
public void AuthMissingRequestId()
{
var authParameters = new Dictionary <string, string>
{
{ "awsAccessKeyId", "accessKey" },
{ "awsSecretKey", "secretKey" },
{ "issueDate", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffzzz", DateTimeFormatInfo.InvariantInfo) }
};
var results = AwsCredentialsAuthenticationHandler.ValidateAuthParameters(authParameters);
Assert.False(results.Succeeded);
Assert.Equal($"Authorization header missing {AwsCredentialsAuthenticationHandler.ClaimAwsRequestId} property", results.Failure.Message);
}
public void ProcessAuthorizationHeaderSuccess()
{
var request = new HttpRequestMessage();
var creds = new ImmutableCredentials("accessKeyId", "secretKey", "token");
ServerModeHttpClientAuthorizationHandler.AddAuthorizationHeader(request, creds);
if (!request.Headers.TryGetValues("Authorization", out var value))
{
throw new Exception("Missing Authorization header");
}
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(value.FirstOrDefault(), new NoEncryptionProvider());
Assert.True(authResults.Succeeded);
}
public void AuthAttemptReplayRequestId()
{
var authParameters = new Dictionary <string, string>
{
{ "awsAccessKeyId", "accessKey" },
{ "awsSecretKey", "secretKey" },
{ "requestId", Guid.NewGuid().ToString() },
{ "issueDate", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffzzz", DateTimeFormatInfo.InvariantInfo) }
};
var results = AwsCredentialsAuthenticationHandler.ValidateAuthParameters(authParameters);
Assert.Null(results);
results = AwsCredentialsAuthenticationHandler.ValidateAuthParameters(authParameters);
Assert.False(results.Succeeded);
Assert.Equal($"Value for authorization header has already been used", results.Failure.Message);
}
public void AuthPassCredentialsEncrypted()
{
var aes = Aes.Create();
var request = new HttpRequestMessage();
var creds = new ImmutableCredentials("accessKeyId", "secretKey", "token");
ServerModeHttpClientAuthorizationHandler.AddAuthorizationHeader(request, creds, aes);
if (!request.Headers.TryGetValues("Authorization", out var value))
{
throw new Exception("Missing Authorization header");
}
var authPayloadBase64 = value.FirstOrDefault().Split(' ')[1];
var authPayload = Encoding.UTF8.GetString(Convert.FromBase64String(authPayloadBase64));
// This should fail because the payload is encrypted.
Assert.Throws <JsonReaderException>(() => JsonConvert.DeserializeObject(authPayload));
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(value.FirstOrDefault(), new AesEncryptionProvider(aes));
Assert.True(authResults.Succeeded);
var accessKeyId = authResults.Principal.Claims.FirstOrDefault(x => string.Equals(AwsCredentialsAuthenticationHandler.ClaimAwsAccessKeyId, x.Type))?.Value;
Assert.Equal(creds.AccessKey, accessKeyId);
var secretKey = authResults.Principal.Claims.FirstOrDefault(x => string.Equals(AwsCredentialsAuthenticationHandler.ClaimAwsSecretKey, x.Type))?.Value;
Assert.Equal(creds.SecretKey, secretKey);
var token = authResults.Principal.Claims.FirstOrDefault(x => string.Equals(AwsCredentialsAuthenticationHandler.ClaimAwsSessionToken, x.Type))?.Value;
Assert.Equal(creds.Token, token);
}
